Cisco Catalist Upgrading 2900, 5500 and 3700 Stacks
KB ID 0001630 Problem People are often nervous about doing this, I’m not sure why because Cisco have made it painfully simple now. That’s because instead of the old /bin files we used to use, you can now upgrade a switch (or a switch stack) using a .tar file with one command, (and it will also upgrade all the stack members and the firmware on any other network modules you have in the switches at the same time). Yes it does...
Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall
KB ID 0000691 Problem If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access). This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’. Where all traffic destined for public address A, is sent to private address X. Note: This solution is for firewalls running...
ASA Local CA Depreciated: Use Windows CA
KB ID 0001616 Problem I got an email about this last night, I rarely ever use the ASA as a Local CA, But that has now been completely depreciated, (post version 9.12(x)) The documentation tells us; Local CA server is deprecated in 9.12(1), and will be removed in a later release—When ASA is configured as local CA server, it is enabled to issue digital certificates, publish Certificate Revocation Lists (CRLs), and securely revoke issued...
Bring up a VPN Tunnel From the ASA
KB ID 0001604 Problem A colleague was doing a firewall migration yesterday and I offered to sit in, in case he had any problems, one of the tasks was a VPN tunnel getting migrated, this is usually painless, (if you have control of both ends!) But in this case we didn’t, and it’s usually the case, when there’s VPN problems, the people at the {ahem} ‘less experienced,’ end of the tunnel tend to blame the...
Cisco ASA Site to Site IKEv2 VPN Static to Dynamic
KB ID 0001602 Problem Site to Site VPNs are easy enough, define some interesting traffic, tie that to a crypto map, that decides where to send the traffic, create some phase 1 and phase 2 policies, wrap the whole lot up in a tunnel-group, and you’re done! But there needs to be a ‘peer address’ in the crypto map, and if one end of the VPN is on DHCP that address is likely to change, so you cant supply that? The...
Adding New Networks to Cisco AnyConnect VPNs
KB ID 0001593 Problem Note: To add new subnets to a traditional Site to Site VPN, see the following article instead; Cisco ASA – Adding New Networks to Existing VPNs I see this get asked in online forums A LOT. If you have an existing AnyConnect VPN setup, and then need to add another network how do you do it? Well that depends on where the new network is, and how it’s entering the firewall, these diagrams can be either way...